A new Android app makes hijacking other people’s Facebook, Twitter, YouTube and Amazon sessions a breeze over private or open wireless networks. Called FaceNiff, the app is the work of a Polish programmer named Bartosz Ponurkiewicz and was apparently released on his website in mid-May.
“It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK),” the developer writes. FaceNiff requires root access on the phone in order to work properly. Root (admin) access is not enabled by default on most devices, but there are many tutorials and tools available to obtain it.
So far, the app can hijack sessions for Facebook, Twitter, YouTube, Amazon and Nasza-Klasa, a Polish social networking service. It has been confirmed to work on the HTC Desire (CyanogenMod 7), the original Droid/Milestone (CM7), the SE Xperia X10, the Samsung Galaxy S (including the T-Mobile Galaxy S), the Nexus 1 (CM7), the HTC HD2, the LG Swift 2X, the LG Optimus Black (original ROM), the LG Optimus 3D (original ROM) and the Samsung Infuse.
Session hijacking, also known as side-jacking, involves attackers positioning themselves between users and websites in order to steal session cookies, the small text files stored in browsers so that services can remember authenticated users.
Session cookies can be placed into any browser to take control over the sessions they correspond to. This type of attack does not expose passwords, but does give attackers access to the victims’ accounts.
Firesheep, a Firefox extension released last year, is based on a similar concept, and its availability led major websites such as Google, Facebook and Twitter to speed up their SSL deployment plans.
At the moment, the only way to protect session cookies in transit over wireless networks is to encrypt them, and that is only possible on websites that support HTTPS, which is HTTP carried over SSL/TLS.
Users are strongly advised to only log into websites that support HTTPS when connected over wireless networks. The HTTPS-Everywhere extension developed by the EFF can force HTTPS automatically on major websites.
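The articles above make the point that a session cookie is only as safe as the channel it travels over. On the server side, the corresponding check is whether session cookies carry the Secure flag (so the browser never sends them over plain HTTP) and HttpOnly (so injected script cannot read them), and whether the site sends a Strict-Transport-Security header so the browser stops making plain-HTTP requests at all. The following audit function is an added example, not code from the article or from FaceNiff; the response headers it inspects are constructed sample values, and the name-matching heuristic for "session-like" cookies is an assumption.

```python
import re

# Constructed sample response headers (not from the article). The first cookie is
# a session cookie missing the Secure flag, the second is missing HttpOnly, the
# third is a harmless preference cookie, and no HSTS header is present.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Content-Type", "text/html"),
]

# Hardened version of the same response for comparison.
HARDENED_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Heuristic (assumed, not from the page): cookie names that usually carry authentication state.
SESSION_NAMES = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), cookie_value, attrs


def audit_cookies(headers):
    """Return (cookie_name, problem) pairs for session cookies that could be
    captured on an unencrypted link or read by injected script."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if not SESSION_NAMES.search(name):
            continue  # not a session-like cookie under the heuristic above
        if "secure" not in attrs:
            findings.append((name, "missing Secure: browser will send it over plain HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly: readable by injected script"))
    if not has_hsts:
        findings.append(("*", "no Strict-Transport-Security: first request may still go over HTTP"))
    return findings


if __name__ == "__main__":
    for cookie, problem in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie}: {problem}")
    print("hardened:", audit_cookies(HARDENED_HEADERS))
```

Run against the constructed sample the audit reports the session cookie without Secure, the token cookie without HttpOnly and the missing HSTS header; the hardened header set produces no findings. HSTS matters because the Secure flag alone does not stop the browser from making an initial plain-HTTP request to the site, which is exactly the moment a tool like FaceNiff is listening.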
FaceNiff app homepage: http://faceniff.ponury.net
Credit: Softpedia.com News
A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec. The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation.
In order to exploit it, attackers created a web page containing a specially crafted iframe element that forced every logged-in Facebook user who visited it to post rogue messages on their walls. By crafting the spammed message to lure users into visiting the malicious site, the attackers turned the exploit into a self-propagating worm.
The Symantec experts say the vulnerability was exploited in more limited attacks before being used to launch the worm, and note that copycats followed the initial wave.
Some browsers have anti-XSS filters built in by default, but they are not very effective. The only one that blocks a significant number of attacks is the one included in the NoScript Firefox extension.
XSS worms were quite frequent in 2009; social media websites have since gotten better at preventing such attacks, but some continue to appear from time to time. The previous one launched on Facebook occurred earlier this month and was used to spread weight-loss spam.
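The article attributes the Facebook bug to "insufficient JavaScript validation", which is the usual root cause of XSS: filtering input for a few known-bad strings instead of encoding output for the context it lands in. The example below, added here and not code from Symantec or Facebook, contrasts a blacklist-style renderer that only strips literal `<script` tags with one that HTML-encodes at output time, and checks each against a few constructed probe strings. The `render_*` functions and the div template are assumptions for illustration.

```python
import html
import re

# Constructed probe inputs (not from the article). Only the second one contains a
# literal <script tag; the others show why a blacklist is not a defence.
PAYLOADS = [
    "hello world",
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",       # event handler, no <script> at all
    '" autofocus onfocus="alert(1)',      # breaks out of an attribute value
]

BLACKLIST = re.compile(r"<script", re.IGNORECASE)


def render_naive(user_text):
    """Vulnerable: blocks the literal <script tag, then interpolates raw text
    into both an attribute and an element body."""
    if BLACKLIST.search(user_text):
        user_text = ""
    return f'<div class="post" title="{user_text}">{user_text}</div>'


def render_encoded(user_text):
    """Hardened: encode for the HTML context at output time. quote=True also
    encodes the double quote, so the attribute cannot be broken out of."""
    safe = html.escape(user_text, quote=True)
    return f'<div class="post" title="{safe}">{safe}</div>'


TAG_NAME = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")


def is_safe(rendered):
    """True if the output contains only the wrapper <div> and exactly the
    template's own four double quotes (i.e. no new tags, no attribute breakout)."""
    tags = TAG_NAME.findall(rendered)
    return all(t.lower() == "div" for t in tags) and rendered.count('"') == 4


def audit(renderer, payloads=PAYLOADS):
    """Map each probe string to whether the renderer neutralised it."""
    return {p: is_safe(renderer(p)) for p in payloads}


if __name__ == "__main__":
    for name, fn in (("naive", render_naive), ("encoded", render_encoded)):
        print(name, audit(fn))
```

The naive renderer passes only the probe it was written to block; the `img` event handler and the attribute breakout both survive, which is the same class of gap that lets a crafted page drive an authenticated user's browser into posting on their behalf. Context-aware output encoding passes all four without needing to enumerate bad strings.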
In October last year, French security researchers demonstrated two information stealing worms that worked by exploiting cross-site request forgery and cross-site scripting vulnerabilities on Facebook.
According to Symantec’s Candid Wueest, Facebook has since addressed the vulnerability. “Facebook has informed us that they have patched this XSS vulnerability. In addition, they are currently working on steps to remediate damage caused by the attacks,” he says.
Last year Twitter was hit by a massive and more resilient XSS worm that locked hundreds of thousands of users out of their accounts.
Credit: Softpedia.com News
Apple is leaving some of its older mobile devices unprotected with its latest patch batch. An iOS 4.3 update, which includes a number of critical security fixes, is incompatible with the still widely used iPhone 3G and older versions of the iPod Touch. The latest version of Apple’s mobile software can only be applied to the iPhone 3GS and later models, the iPod Touch 3rd generation and later models, and all versions of the iPad.
Security fixes bundled with the release include protection against the risk posed by maliciously-crafted TIFF image files and security fixes against multiple memory corruption issues in WebKit, the engine behind the Safari browser.
Security firm Sophos warns that the omission of the fixes leaves users of older iPhone and iPod Touch devices at heightened risk of drive-by download attacks from booby-trapped websites. The latest version of the OS includes tethering functionality and the ability to stream music between devices across home wireless networks, among other functionality improvements.
“There might be a hardware reason why the latest version of the software can’t be run on older devices,” a Sophos spokesman explained. “Even so, Apple could still release an update for Safari for older devices, the most problematic omission. Apple should still produce patches, otherwise security conscious people would have to upgrade.”
The handful of malware strains to have infected iPhone devices thus far have only infected jailbroken devices. Although it hasn’t yet happened, mobile malware spreading via browser vulnerabilities is a potential threat, Sophos argues.
In related news, Apple also released a new version of its Safari browser for desktops on Wednesday. Safari version 5.0.4 covers a total of 62 security vulnerabilities. Both Windows and Mac users need to update their software.
The vast majority (57 of the 62, by Sophos’s count) of the security bugs tackled by the update lend themselves to exploitation simply by tricking a surfer who is running vulnerable versions of the software into visiting a maliciously constructed website, a favourite hacker trick.
Credit: The Register
Chinese hackers are distributing a mobile trojan to users as a repackaged version of the Android Market security update released by Google last week.
Repackaging legit Android apps with trojans is becoming a common propagation method for mobile malware targeting Google’s operating system. The trend began in Russia, where the motivation behind the malicious programs was to steal credit by silently sending text messages to premium rate numbers.
Then it moved to China where more sophisticated Android malware variants were caught performing click fraud or displaying botnet-like capabilities. The problem reached a global audience when over 50 apps were rigged with a trojan and published on the Android Market under different names.
Google took them down last week shortly after being notified and used the remote uninstall feature to remove the trojan from infected devices. However, the malware also used a public exploit to root the device before installing itself, so the company also pushed an over-the-air update called “Android Market Security Tool” to undo it.
Security researchers from F-Secure and Symantec now warn that Chinese hackers have ironically repackaged this security tool with a new trojan dubbed Android.Bgserv.
Like most Android malware, Bgserv sends device identification codes (IMEI) to a remote server and can receive commands. According to Symantec, it can be ordered to send SMS messages to a number specified by the attackers, which means it can theoretically be used to steal credit.
“Analysis of the application is still ongoing, however, what is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License,” the Symantec experts write.
The trojanized app is distributed from unregulated market places, which are common in China where there is no official Android Market. “This malware appears to be specific to a mainland Chinese network, as it contacts the number 10086 (related to China Mobile Net) and uses the new APN with the name ‘cmnet’ inserted in the APN list,” note security researchers from F-Secure.
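Bgserv, as described above, needs three things the platform only grants through declared permissions: read access to the device identity (IMEI), network access to reach its server, and the ability to send SMS. A first-pass static triage of a repackaged APK is therefore to read its manifest and flag these combinations. The script below is an added example, not F-Secure's or Symantec's tooling; the manifest is a constructed sample in the shape of a real `AndroidManifest.xml`, and the rule descriptions and the boot-persistence rule are assumptions added for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest (not the real trojanized "Android Market Security Tool").
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.securitytool">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Security Tool"/>
</manifest>
"""

# A benign-looking manifest for comparison: network access only.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader"/>
</manifest>
"""

# Each rule is (set of permissions that must all be present, finding text).
# The first two mirror the behaviour attributed to Bgserv above; the third is an
# assumed persistence heuristic, not something the article states.
RULES = [
    ({"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
     "can read the IMEI and send it to a remote server"),
    ({"android.permission.SEND_SMS"},
     "can send SMS without user interaction (premium-rate fraud risk)"),
    ({"android.permission.RECEIVE_BOOT_COMPLETED"},
     "restarts itself at boot (persistence)"),
]


def permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Return the finding text for every rule whose permission set is declared."""
    declared = permissions(manifest_xml)
    return [finding for required, finding in RULES if required <= declared]


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest) or ["no findings"])
```

Permission triage is a coarse filter: legitimate messaging apps also declare SEND_SMS, so a hit is a reason to look at the code that uses the permission, not a verdict. What makes the repackaged security tool stand out is that the original update had no reason to send SMS at all.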
Credit: Softpedia.com News
German security researchers have demonstrated that passwords stored on a stolen or lost iPhone can be retrieved in around six minutes even if the device is locked.
Researchers Jens Heider and Matthias Boll from the Fraunhofer Institute for Secure Information Technology (SIT) have published a paper and a video demonstration of their findings.
In order to gain access to the phone and its file system, the researchers used publicly available jailbreaking tools. They then uploaded a specially designed script able to scrape passwords stored in the device’s keychain. Decryption was performed using the operating system’s own functions.
The extracted passwords corresponded to website accounts from Safari, Yahoo! Mail, Google Mail, WiFi, voicemail, MS Exchange, IMAP, LDAP, VPN and other services.
The purpose of the research was to demonstrate that stolen or lost iPhones can pose security risks not only to data stored on the devices itself, but also on external services. Furthermore, the iOS device encryption feature gives users a false sense of security, because in reality this protection mechanism can be easily bypassed.
“Owners of a lost or stolen iOS device should therefore instantly initiate a change of all stored passwords,” the researchers advise. “Additionally, this should be also done for accounts not stored on the device but which might have equal or similar passwords, as an attacker might try out revealed passwords against the full list of known accounts,” they add.
As far as companies are concerned, when losing an iOS device they should consider immediately revoking VPN and wireless passwords. The remote wipe functionality might also be used.
The two researchers judge their attack’s complexity as low, because they used tools freely available on the Internet and creating the script only required moderate programming skills.
Credit: Softpedia.com News
A whitehat hacker has cracked the digital rights management system enforced by Microsoft on Windows Phone 7 and demonstrated a simple method which allows users to install any application from the Windows Phone Marketplace for free. Hardware hackers also claim to have uncovered the private key used by Sony to authorize code to run on PlayStation 3 systems. Sony’s weak implementation of cryptography was exploited by fail0verflow to pull off the hack.
The Windows Phone Marketplace is Microsoft’s online store for Windows Phone 7 applications and allows users to browse, try and install free or commercial apps. A few days ago, a user posted on the XDA forums a guide with what is needed to crack the protection of the Windows Phone Marketplace.
Most of the steps in that guide were already doable to some extent, except one: removing the XAP (app installer format) signature. However, it wasn’t long until someone took it up as a challenge. WPCentral reports that a developer created a simple application that allows people to download and crack any XAP file from the official marketplace.
The tool was demoed in a video, but has not been publicly released. Also, no information about how it actually achieves the signature stripping was provided. Instead, WPCentral and the whitehat hacker contacted Microsoft and gave them the details so they could start working on a fix.
The issue is pretty serious, because if one developer can do it, then sooner or later others will figure it out too, and not all of them might be adherents of responsible disclosure. In the end, DRM systems will always be prone to hacking. Someone will eventually figure out a way to bypass them.
The Windows Phone 7 community, which is still fairly limited, will probably end up having access to alternative marketplaces like Cydia for people with jailbroken iPhones.
Separately, hackers recently uncovered a hack that allows Linux to run on PS3 consoles irrespective of the firmware version the games console is running. By knowing the private key used by Sony, the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on the console were firmware-specific and involved messing around with USB sticks.
The same code signing technique might also be used to run pirated or counterfeit games on a console. That isn’t the intention of the hackers even though it might turn out to be the main practical effect of the hack.
The group, fail0verflow, who also run the Wii’s Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Conference hacker congress in Berlin.
Bugs in iPad applications used by numerous newspapers and magazines to deliver digital content to their paying subscribers can be exploited to access it for free.
The problems were discovered by a group of Italian hackers called DarkApples and were originally reported [Google translation] in the Italian newspaper Il Post (The Post).
Adobe’s Digital Content Viewer technology, which is used by many publications, including Wired, The New Yorker, iGIZMO, Corriere della Sera and Gazzetta dello Sport, seems to be the most vulnerable one. The extreme simplicity of the exploitation method suggests that Adobe’s technology was designed with little regard for security.
According to the hackers, it’s only necessary to edit a settings file (.plist) and change an option from “no” to “yes” in order to turn a publication from purchasable to viewable. Such a modification will cause a “Download” button to appear for a subscription instead of a “Buy” one and will result in users having free access to the content.
In order to edit the .plist file, users need to connect the iPad to a computer and use freely available tools like iPhone Explorer to browse the contents of the device.
Also, while for publications offering long-term subscriptions this is a one-time hack, for others the process might need repeating when new issues are released.
“We have confirmed that it is possible for experienced users with detailed instructions to access some digital publications on the iPad that have not been purchased. We are working on a fix and expect to deliver a new version of our Digital Content Viewer to publishers on Friday, October 8,” Adobe said in a statement.
However, according to the Huffington Post, the hack was still working on Monday. Granted, this might not be Adobe’s fault, as the company only provides the technology. It’s the publishers’ job to update their individual apps and get them out to existing subscribers through whatever mechanisms they have in place for that.
Il Post reports that Adobe’s Digital Content Viewer is not the only technology vulnerable to such attacks. Others have similar bugs, but exploitation requires advanced tools and more technical knowledge.
Credit: Softpedia.com News
Chris Paget, a security researcher known for his work in the field of radio communications security, demonstrated how GSM phone calls can be intercepted with inexpensive equipment at the DEFCON hackers conference in Vegas. The technique exploited a loophole in current GSM implementations.
Paget made a name for himself by exploiting flaws in the Radio-frequency identification (RFID) technology used in Enhanced Driver Licenses (EDLs), as well as in electronic ID and passport cards. In the past the researcher demonstrated how information stored on the RFID tags embedded in these government-issued documents can be sniffed with off-the-shelf equipment while driving around in a car.
This year he returned to the Black Hat technical security conference and showed how the same RFID tags can be read from much longer distances. With some custom-made equipment the researcher was able to reach a range of 217 feet, smashing the previous record of 69 feet. He also claims that by cranking up the power, the device can read tags from well over 500 feet.
However, his most impressive presentation yet was at DEFCON, the largest annual hackers conference in the world, which immediately follows Black Hat. There he managed to wow the audience by intercepting mobile phone calls made by attendees in the room.
To pull off this feat he used a device dubbed the “IMSI (International Mobile Subscriber Identity) catcher”, which he built with cheap and readily available components. The equipment is capable of mimicking an AT&T cell tower operating in the 900MHz band and tricks mobile phones into connecting to it.
The IMSI catcher exploits the fact that in the U.S. the 900 MHz frequency range is allocated to amateur radio, while in most other parts of the world, including Europe, it is used by GSM networks. The problem is that, for compatibility reasons, many mobile phones sold in the United States are capable of operating in the 900 MHz band.
“During the talk at least 30 handsets connected to my tower; there were probably many more than this but the logs were all destroyed on-stage (I broke the USB key into several pieces [...]). Logged data included IMSI, IMEI, all numbers that were dialed, and of course audio recordings of all calls made (a total of 17 calls were connected during the talk),” the researcher writes on his blog.
Since phone call interception is illegal, the U.S. Federal Communications Commission (FCC) expressed concerns prior to the talk. There were also rumors of AT&T intending to intervene and stop the demo from happening. However, Paget enlisted the legal guidance of the Electronic Frontier Foundation (EFF) and to keep the exposure to a minimum, he tweaked the power of his device so the experiment wouldn’t affect people outside the conference room.
Credit: Softpedia.com News
Mobile malware that affects Symbian Series 60 handsets is being used to create a botnet.
Security firm NetQin claims as many as 100,000 smartphones have been compromised with the malware, which typically poses as a game and affects Series 3 and % Symbian devices. NetQin said the malware is programmed to send SMS messages from compromised devices.
“These botnets do one of two things; send messages to all the contacts of the address book directly, or send messages to the random phone numbers by connecting to a server,” NetQin explains in a blog posting.
“The viruses will delete the sent messages from the user’s Outbox and SMS log. All messages contain URLs linked to malicious sites that users won’t be able to see until after they’ve fallen into the virus trap.”
The Symbian Foundation said that the certificate used to sign the malware has been revoked, so provided revocation checking is enabled on a phone the malware will not run. Symbian downplayed the threat of the malware, which a spokesman described as posing only a “very minor threat”, V3.co.uk reports.
Credit: The Register
AT&T has exposed the email addresses of more than 114,000 early adopters of Apple’s iPad, a security breach that could make some of the world’s most elite celebrities and executives vulnerable to phishing attacks, Gawker reports.
According to an article published Wednesday, the vulnerability in AT&T’s website was exploited by Goatse Security, the same grey-hat group that exposed Firefox-based attacks on IRC, wreaked havoc on Amazon sales rankings, and pioneered some of the most foul images found on the internet. As a result, email addresses for New York Times Co. CEO Janet Robinson, ABC Newswoman Diane Sawyer, film mogul Harvey Weinstein, and New York Mayor Michael Bloomberg have been exposed.
The breach also exposed the ICC-ID, or integrated circuit card identifier, for the group of 114,067, which were all early adopters of the iPad 3G. It appears the information is of little use to attackers, but Gawker said the possibility exists for it to be used to spoof individual iPads on AT&T’s network.
According to the report, Goatse obtained the data by exploiting a vulnerable web application on AT&T’s site that matched ICC-IDs with email addresses. By writing a script that bombarded the site with thousands of possible ICC-ID numbers, the group was able to obtain the email addresses. To make their exploit work, members had to lace their requests with an iPad-style user agent header.
Gawker said reporters alerted AT&T to the breach on Monday, and the hole was closed. Shortly after the article was published, the carrier acknowledged the breach, and said it would alert customers after an investigation is completed. So far, Apple has yet to comment on the report.
Other iPad users who were affected included executives at Dow Jones, Conde Nast, Viacom, Google, Amazon, Microsoft, and AOL. Top people inside some of the nation’s most sensitive organizations were also exposed, including William Eldredge, who commands the largest strategic bomber group in the US Air Force, Gawker said. It’s possible other groups exploited the same vulnerable web app to make off with a much larger cache of email addresses, Goatse said.
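The AT&T incident above is an enumeration attack: a script walking through thousands of candidate ICC-IDs against an endpoint that answered with the matching e-mail address. The user agent was spoofed, so it is not a useful signal on its own; what does stand out in server logs is a single client querying an unusually large number of distinct identifiers in a short window. The detector below is an added example, not AT&T's or Gawker's code. The log lines are constructed in Apache combined format, and the `/lookup` path and `iccid` parameter name are assumptions standing in for the real endpoint, which the article does not name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X) AppleWebKit/531.21.10"

# Constructed access-log sample (not real AT&T logs). 203.0.113.7 walks through six
# distinct ICC-IDs in six seconds; 198.51.100.2 makes one ordinary lookup.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [09/Jun/2010:12:00:0{i} +0000] "GET /lookup?iccid=8901410321111851070{i} HTTP/1.1" 200 312 "-" "{UA}"'
     for i in range(6)]
    + [f'198.51.100.2 - - [09/Jun/2010:12:00:03 +0000] "GET /lookup?iccid=89014103211118519999 HTTP/1.1" 200 310 "-" "{UA}"']
)

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_lookups(log_text):
    """Yield (ip, timestamp, iccid, user_agent) for every request carrying an iccid parameter."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["url"]).query)
        if "iccid" not in query:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, query["iccid"][0], m["ua"]


def detect_enumeration(log_text, window=timedelta(seconds=60), max_ids=5):
    """Return {ip: peak_distinct_ids} for clients that queried more than max_ids
    distinct ICC-IDs inside any sliding window of the given length."""
    events = defaultdict(list)
    for ip, ts, iccid, _ in parse_lookups(log_text):
        events[ip].append((ts, iccid))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        peak = 0
        for i, (start, _) in enumerate(evs):
            # All events at or after this one that fall inside the window.
            ids = {iccid for ts, iccid in evs[i:] if ts - start <= window}
            peak = max(peak, len(ids))
        if peak > max_ids:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The threshold of five distinct identifiers per minute is a constructed value; a real deployment would tune it on the endpoint's legitimate traffic, where one device normally asks about exactly one ICC-ID. The design fix is on the endpoint itself: an unauthenticated lookup keyed on a sequential identifier should not exist, and any remaining lookup should be rate-limited per client and per identifier.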
Credit: The Register